Linux: A Wireless Solution Josh Joiner
Agenda
• Introduction
• Minimum Hardware
• Basic Components
• Steps on setting up a wireless network
• Security Concerns and Conclusion
Introduction
• What is a wireless network
• Wireless LANs range of coverage
• We are setting up an 802.11b (also known as Wi-Fi) implementation of a WLAN. Other implementations can be found at http://ieee802.org/11/
• More info on wireless can be found at:
  • http://www.nsrc.org/wireless.html
  • http://www.webopedia.com/TERM/W/Wi_Fi.html
Minimum Hardware Needed
• Desktop or laptop (>= 386) - AP
• Desktop or laptop - client
• Two or more 802.11b wireless cards (I use Lucent's WaveLAN card)
• ISA-to-PCMCIA or PCI-to-PCMCIA adapter
• Hardware to set up the link from the gateway to the Internet
• A Unix-like operating system
Basic Components of a Wireless Network
• Wired Network
• Gateway or Access Point
• Client(s)
How To:
• Step 1: Install the PCI/ISA-to-PCMCIA adapter in the gateway
• Step 2: Install a Unix-like OS on the gateway (desktop/laptop). I used Red Hat 7.0.
  • Firewall software
  • DHCP server
  • SSH server
• Step 3: Configure the wireless information in /etc/pcmcia/wireless.opts (see next slide for example)
My /etc/pcmcia/wireless.opts file:
case "$ADDRESS" in
*,*,*,*)
    INFO="LinuxAirport"
    ESSID="name-of-network"
    MODE="managed"            # there are several modes available here
    RATE="auto"
    KEY="xxxxxxxxxxxxx"
    # KEY="s:securityisfun"   # s: followed by thirteen chars, for 128-bit WEP
    #                         # e.g. Lucent Gold
    ;;
esac
How To (cont)
• Step 4: Assign a wireless subnet under /etc/pcmcia/network.opts (see my next slide example)
• Step 5: Set up the external (DSL/LAN) network.
• Step 6: Set up the firewall software in /etc/rc.d/rc.firewall (I used ipchains, see next slide for example)
/etc/pcmcia/network.opts
case "$ADDRESS" in
*,*,*,*)
    INFO="Sample private network setup"
    # Transceiver selection, for some cards -- see 'man ifport'
    IF_PORT=""
    # Use BOOTP (via /sbin/bootpc, or /sbin/pump)? [y/n]
    BOOTP="n"
    # Use DHCP (via /sbin/dhcpcd, /sbin/dhclient, or /sbin/pump)? [y/n]
    # "n" here: this is the gateway side of the WLAN and it runs the DHCP
    # server itself, so the interface keeps the static address below
    DHCP="n"
    # If you need to explicitly specify a hostname for DHCP requests
    DHCP_HOSTNAME=""
    # Host's IP address, netmask, network address, broadcast address
    IPADDR="192.168.1.1"
    NETMASK="255.255.255.0"
    NETWORK="192.168.1.0"
    BROADCAST="192.168.1.255"
    # Gateway address for static routing
    GATEWAY="10.64.48.1"
    # Things to add to /etc/resolv.conf for this interface
    DOMAIN=""
    SEARCH=""
    DNS_1=""
    DNS_2=""
    DNS_3=""
    # Extra stuff to do after setting up the interface
    start_fn () { return; }
    # Extra stuff to do before shutting down the interface
    stop_fn () { return; }
    # Card eject policy options
    NO_CHECK=n
    NO_FUSER=n
    ;;
esac
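Added example, not from the slides: cardmgr runs wireless.opts and network.opts with ADDRESS set to "scheme,socket,instance,hwaddr", and the "*,*,*,*)" pattern on the two slides above matches every card in every scheme. The shell below shows narrower patterns that keep one settings block per PCMCIA scheme or per card, plus a format check for the KEY value; the scheme names, ESSIDs, MAC prefix and keys are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the slides. cardmgr runs wireless.opts/network.opts
# with ADDRESS="scheme,socket,instance,hwaddr"; the slides' "*,*,*,*)" pattern
# matches every card in every scheme. Narrower patterns keep separate settings
# per scheme (switch with "cardctl scheme work") or per card (by MAC prefix).
# Scheme names, ESSIDs, the 00:60:1D prefix and keys are constructed samples.

# wlan_profile ADDRESS: set ESSID, MODE and KEY as wireless.opts would, then
# print them on one line so the caller can see which block matched.
wlan_profile() {
    case "$1" in
        # scheme "home", any socket/instance, only a card whose MAC starts 00:60:1D
        home,*,*,00:60:1D:*)
            ESSID="home-net" MODE="managed" KEY="s:thirteen-char" ;;
        # scheme "work", any card: ad-hoc link, no key configured
        work,*,*,*)
            ESSID="work-adhoc" MODE="ad-hoc" KEY="" ;;
        # everything else: the catch-all block shown on the slides
        *,*,*,*)
            ESSID="LinuxAirport" MODE="managed" KEY="s:securityisfun" ;;
    esac
    echo "ESSID=$ESSID MODE=$MODE KEY=$KEY"
}

# wep_key_ok KEY: exit 0 if KEY has the shape iwconfig accepts for a 40-bit or
# 128-bit WEP key: "s:" plus 5 or 13 ASCII characters, or 10 or 26 hex digits.
# A well-formed key is still only WEP; this catches typos, not weak encryption.
wep_key_ok() {
    case "$1" in
        s:*)
            body=${1#s:}
            [ ${#body} -eq 5 ] || [ ${#body} -eq 13 ]
            ;;
        *[!0-9A-Fa-f]*|"")
            return 1
            ;;
        *)
            [ ${#1} -eq 10 ] || [ ${#1} -eq 26 ]
            ;;
    esac
}

# Walk the slides' own catch-all plus two narrower matches
for addr in "home,0,0,00:60:1D:12:34:56" "work,1,0,00:60:1D:12:34:56" "home,0,0,00:02:2D:AA:BB:CC"; do
    echo "$addr -> $(wlan_profile "$addr")"
done
```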
/etc/rc.d/rc.firewall
#!/bin/sh
#
# rc.firewall-2.2
FWVER="1.01"
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

# Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

# Network Address of the Internal Network
INTLAN="192.168.1.0/24"
echo -e " Internal Network: $INTLAN\n"

# Load all required IP MASQ modules
echo " loading required IPMASQ kernel modules.."
# Needed to initially load modules
# /sbin/depmod -a
echo -en " Loading modules: "
echo ". Done loading modules."

# CRITICAL: Enable IP forwarding since it is disabled by default
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
# FORWARD_IPV4=false to FORWARD_IPV4=true
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# CRITICAL: Enable automatic IP defragmenting since it is disabled by default
echo " enabling AlwaysDefrag.."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

echo " clearing any existing rules and setting default policy.."
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
echo " setting default timers.."
/sbin/ipchains -M -S 7200 10 160

# DHCP: For people who receive their external IP address from either DHCP or
# BOOTP such as ADSL or Cablemodem users, it is necessary to use the
# following before the deny command.
#
# This example is currently commented out.
#
# /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#
echo " enabling IPMASQ functionality on $EXTIF"
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $EXTIF -s $INTLAN -j MASQ

echo -e "\nrc.firewall v$FWVER done.\n"
How To (cont):
• Step 7: Set up DHCPD (see sample config)
• Step 8: Now you are ready to configure the clients.
/etc/dhcpd.conf
subnet 192.168.1.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option domain-name "domainname.com";      # replace this with the domain name of your internal net, if any
    option domain-name-servers 10.64.48.5;    # replace this with the IP of your Domain Name Server
    # 192.168.1.255 is the subnet's broadcast address and must not be leased, so the pool stops at .254
    range dynamic-bootp 192.168.1.128 192.168.1.254;
    default-lease-time 21600;                 # 6 hrs
    max-lease-time 43200;                     # 12 hrs
}
subnet 10.64.48.0 netmask 255.255.252.0 {
    not authoritative;
}
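Added example, not from the slides: shell helpers that check the two address decisions made above, which source addresses the forward rule with -s $INTLAN -j MASQ in rc.firewall will masquerade (everything else falls to the forward DENY policy), and whether the dhcpd.conf pool stays clear of the network, broadcast and router addresses. The function names are mine; the addresses are the ones on the slides.

```shell
#!/bin/sh
# Added example, not from the slides: checks for the rc.firewall INTLAN value
# and the dhcpd.conf pool. in_cidr mirrors the "-s $INTLAN -j MASQ" match;
# dhcp_range_ok rejects pools touching the network/broadcast address or router.

# ip2int A.B.C.D: print the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 if ADDR lies inside the block
in_cidr() {
    prefix=${2#*/}
    mask=$(( 4294967296 - (1 << (32 - prefix)) ))   # e.g. /24 -> 0xFFFFFF00
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# dhcp_range_ok SUBNET NETMASK ROUTER LOW HIGH: exit 0 if LOW..HIGH is a usable
# pool: ordered, strictly inside SUBNET (network and broadcast excluded), and
# not containing ROUTER, which already holds a static address.
dhcp_range_ok() {
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    bcast=$(( net | (4294967295 ^ $(ip2int "$2")) ))
    router=$(ip2int "$3"); lo=$(ip2int "$4"); hi=$(ip2int "$5")
    [ "$lo" -le "$hi" ] || return 1
    [ "$lo" -gt "$net" ] && [ "$hi" -lt "$bcast" ] || return 1
    [ "$router" -lt "$lo" ] || [ "$router" -gt "$hi" ] || return 1
}

INTLAN="192.168.1.0/24"
for src in 192.168.1.77 10.64.48.5; do
    if in_cidr "$src" "$INTLAN"; then
        echo "$src: forwarded and masqueraded"
    else
        echo "$src: not in $INTLAN, dropped by the forward DENY policy"
    fi
done

# A pool ending on 192.168.1.255 (the broadcast address) is rejected; .254 passes
for high in 192.168.1.255 192.168.1.254; do
    if dhcp_range_ok 192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.128 "$high"; then
        echo "range 192.168.1.128-$high: ok"
    else
        echo "range 192.168.1.128-$high: invalid"
    fi
done
```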
Security Concerns and Conclusion
• You can enable WEP (Wired Equivalent Privacy), but it is not very secure.
• There are other solutions for wireless encryption:
  • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)
  • TKIP (Temporal Key Integrity Protocol)
• One of the better ways to implement security on a wireless network is to set up a VPN for secure access. The same client can often tunnel IPsec over wireless to a VPN gateway located between the access point and the rest of the corporate network.
Sites of Reference
• http://www.oreillynet.com/pub/a/wireless/2001/03/06/recipe.html
• http://www.live.com/wireless/unix-base-station.html